#!/bin/sh
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

mkdir tmp
cd tmp
dd if=/dev/urandom bs=512 count=1 of=noise
echo "" > pwfile

certutil -d . -N -f pwfile

certutil -S -z noise -g 1024 -d . -n ca -s "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t C,C,C -x -m 1 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
5
6
9
n
y

n
5
6
7
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n ica -s "CN=NSS Intermediate CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 20 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT
5
6
9
n
y

n
3
.example
1
n
n
5
6
7
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n server1 -s "CN=test.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 40 -v 115 -1 -2 -5 -8 test.invalid <<CERTSCRIPT
0
2
3
4
9
n
n

y
0
1
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n server2 -s "CN=another_test.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 41 -v 115 -1 -2 -5 <<CERTSCRIPT
0
2
3
4
9
n
n

y
0
1
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n server3 -s "CN=test.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 42 -v 115 -1 -2 -5 -8 test.example <<CERTSCRIPT
0
2
3
4
9
n
n

y
0
1
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n ica2 -s "CN=NSS Intermediate CA 2,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 21 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
5
6
9
n
y

n
5
6
7
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n server4 -s "CN=test2.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica2 -m 50 -v 115 -1 -2 -5 -8 test.invalid <<CERTSCRIPT
0
2
3
4
9
n
n

y
0
1
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n server5 -s "CN=another_test2.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica2 -m 51 -v 115 -1 -2 -5 <<CERTSCRIPT
0
2
3
4
9
n
n

y
0
1
9
n
CERTSCRIPT


certutil -S -z noise -g 1024 -d . -n server6 -s "CN=test2.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica2 -m 52 -v 115 -1 -2 -5 -8 test.example <<CERTSCRIPT
0
2
3
4
9
n
n

y
0
1
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n ica3 -s "CN=NSS Intermediate CA3,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 21 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT
5
6
9
n
y

n
3
foo.example
1
y
5
O=Foo,st=ca,c=us
1
n
n
5
6
7
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n ica4 -s "CN=NSS Intermediate CA 2,O=Foo,ST=CA,C=US" -t ,, -c ica3 -m 61 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
5
6
9
n
y

n
5
6
7
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n server7 -s "CN=bat.foo.example,ou=bar,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 41 -v 115 -1 -2 -5 <<CERTSCRIPT
0
2
3
4
9
n
n

y
0
1
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n server8 -s "CN=bat.foo.example,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 42 -v 115 -1 -2 -5 <<CERTSCRIPT
0
2
3
4
9
n
n

y
0
1
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n server9 -s "CN=bat.foo.example,O=Foo,C=US" -t ,, -c ica4 -m 43 -v 115 -1 -2 -5 <<CERTSCRIPT
0
2
3
4
9
n
n

y
0
1
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n server10 -s "CN=bar.example,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 44 -v 115 -1 -2 -5 <<CERTSCRIPT
0
2
3
4
9
n
n

y
0
1
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n server11 -s "CN=site.example,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 45 -v 115 -1 -2 -5 -8 foo.example <<CERTSCRIPT
0
2
3
4
9
n
n

y
0
1
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n server12 -s "CN=Honest Achmed,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 46 -v 115 -1 -2 -5 <<CERTSCRIPT
0
2
3
4
9
n
n

y
0
1
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n ica5 -s "CN=NSS Intermediate CA 2,O=OtherOrg,ST=CA,C=US" -t ,, -c ica3 -m 62 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
5
6
9
n
y

n
5
6
7
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n server13 -s "CN=bat.foo.example,O=OtherOrg,ST=CA,C=US" -t ,, -c ica5 -m 41 -v 115 -1 -2 -5 <<CERTSCRIPT
0
2
3
4
9
n
n

y
0
1
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n server14 -s "CN=another.foo.example,O=Foo,ST=CA,C=US" -t ,, -c ica5 -m 490 -v 115 -1 -2 -5 <<CERTSCRIPT
0
2
3
4
9
n
n

y
0
1
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n ncca -s "CN=NSS Name Constrained Root CA,O=BOGUS NSS,L=Mountain View,ST=CA,C=US" -t C,C,C -x -m 2 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT
5
6
9
n
y

n
3
.example
1
n
n
5
6
7
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n ica6 -s "CN=NSS Intermediate CA6,O=OtherOrg,ST=CA,C=US" -t ,, -c ncca -m 63 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
5
6
9
n
y

n
5
6
7
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n server15 -s "CN=testfoo.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 64 -v 115 -1 -2 -5 -8 testfoo.invalid <<CERTSCRIPT
0
2
3
4
9
n
n

y
0
1
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n server16 -s "CN=another_test3.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 65 -v 115 -1 -2 -5 <<CERTSCRIPT
0
2
3
4
9
n
n

y
0
1
9
n
CERTSCRIPT

certutil -S -z noise -g 1024 -d . -n server17 -s "CN=test4.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 66 -v 115 -1 -2 -5 -8 test4.example <<CERTSCRIPT
0
2
3
4
9
n
n

y
0
1
9
n
CERTSCRIPT

#DCISS copy certs
certutil -S -z noise -g 2048 -d . -n dcisscopy -s "E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR" -t C,C,C -x -m 998899 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
5
6
9
n
y

n
5
6
7
9
n
CERTSCRIPT

#the following cert MUST not pass
certutil -S -z noise -g 2048 -d . -n dcissblocked -s "CN=foo.example.com,O=Foo,ST=CA,C=US" -t ,, -c dcisscopy -m 998900 -v 120 -1 -2 -5 <<CERTSCRIPT
0
2
3
4
9
n
n

y
0
1
9
n
CERTSCRIPT

#the following cert MUST pass
certutil -S -z noise -g 2048 -d . -n dcissallowed -s "CN=foo.example.fr,O=Foo,ST=CA,C=US" -t ,, -c dcisscopy -m 998901 -v 120 -1 -2 -5 <<CERTSCRIPT
0
2
3
4
9
n
n

y
0
1
9
n
CERTSCRIPT



certutil -d . -L -n ca -r > NameConstraints.ca.cert
certutil -d . -L -n ica -r > NameConstraints.intermediate.cert
certutil -d . -L -n server1 -r > NameConstraints.server1.cert
certutil -d . -L -n server2 -r > NameConstraints.server2.cert
certutil -d . -L -n server3 -r > NameConstraints.server3.cert
certutil -d . -L -n ica2 -r > NameConstraints.intermediate2.cert
certutil -d . -L -n server4 -r > NameConstraints.server4.cert
certutil -d . -L -n server5 -r > NameConstraints.server5.cert
certutil -d . -L -n server6 -r > NameConstraints.server6.cert
certutil -d . -L -n ica3 -r > NameConstraints.intermediate3.cert
certutil -d . -L -n ica4 -r > NameConstraints.intermediate4.cert
certutil -d . -L -n server7 -r > NameConstraints.server7.cert
certutil -d . -L -n server8 -r > NameConstraints.server8.cert
certutil -d . -L -n server9 -r > NameConstraints.server9.cert
certutil -d . -L -n server10 -r > NameConstraints.server10.cert
certutil -d . -L -n server11 -r > NameConstraints.server11.cert
certutil -d . -L -n server11 -r > NameConstraints.server11.cert
certutil -d . -L -n server12 -r > NameConstraints.server12.cert
certutil -d . -L -n ica5 -r > NameConstraints.intermediate5.cert
certutil -d . -L -n server13 -r > NameConstraints.server13.cert
certutil -d . -L -n server14 -r > NameConstraints.server14.cert
certutil -d . -L -n ncca -r > NameConstraints.ncca.cert
certutil -d . -L -n ica6 -r > NameConstraints.intermediate6.cert
certutil -d . -L -n server15 -r > NameConstraints.server15.cert
certutil -d . -L -n server16 -r > NameConstraints.server16.cert
certutil -d . -L -n server17 -r > NameConstraints.server17.cert
certutil -d . -L -n dcisscopy -r >  NameConstraints.dcisscopy.cert
certutil -d . -L -n dcissblocked -r >  NameConstraints.dcissblocked.cert
certutil -d . -L -n dcissallowed -r >  NameConstraints.dcissallowed.cert

echo "Created multiple files in subdirectory tmp: NameConstraints.ca.cert NameConstraints.intermediate.cert NameConstraints.server1.cert NameConstraints.server2.cert NameConstraints.server3.cert NameConstraints.intermediate2.cert NameConstraints.server4.cert NameConstraints.server5.cert NameConstraints.server6.cert"
